Skip to content

Split out core logic from library dependencies #139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
preuss-adam wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Split out core logic from library dependencies #139

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
17721a5
Update samples to latest.
preuss-adam Jul 17, 2025
d0e56b5
Move everything into a new biscuit submodule.
preuss-adam Jan 20, 2026
ee0e55e
Introduce DefaultKeyPairFactory.
preuss-adam Jan 20, 2026
da20769
Introduce DefaultPublicKeyFactory.
preuss-adam Jan 20, 2026
8c0d625
Move all the default factories into their own module.
preuss-adam Jan 20, 2026
e68f960
Introduce PatternMatcher.Factory, similar to the KeyPair.Factory.
preuss-adam Jan 20, 2026
b3f3da5
Shuffle out things to biscuit-core.
preuss-adam Jan 29, 2026
b354d00
Support a wider set of errors for key generation.
preuss-adam Feb 11, 2026
ecb9212
Increment version to 4.1.0
preuss-adam Feb 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions biscuit-core/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
<!--
~ Copyright (c) 2019 Geoffroy Couprie <contact@geoffroycouprie.com> and Contributors to the Eclipse Foundation.
~ SPDX-License-Identifier: Apache-2.0
-->

<project>
<modelVersion>4.0.0</modelVersion>
<artifactId>biscuit-core</artifactId>
<packaging>jar</packaging>

<parent>
<groupId>org.eclipse</groupId>
<artifactId>biscuit-java</artifactId>
<version>4.1.0</version>
</parent>

<dependencies>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>${protobuf.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
</dependency>
</dependencies>
</project>
0 .../biscuit/crypto/BlockSignatureBuffer.java → .../biscuit/crypto/BlockSignatureBuffer.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/crypto/KeyDelegate.java → ...g/eclipse/biscuit/crypto/KeyDelegate.java
View file
Open in desktop
File renamed without changes.
56 changes: 56 additions & 0 deletions biscuit-core/src/main/java/org/eclipse/biscuit/crypto/KeyPair.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/*
* Copyright (c) 2019 Geoffroy Couprie <contact@geoffroycouprie.com> and Contributors to the Eclipse Foundation.
* SPDX-License-Identifier: Apache-2.0
*/

package org.eclipse.biscuit.crypto;

import biscuit.format.schema.Schema.PublicKey.Algorithm;
import java.security.SecureRandom;
import java.util.ServiceLoader;
import java.util.stream.Collectors;
import org.eclipse.biscuit.error.Error;
import org.eclipse.biscuit.token.builder.Utils;

/** Private and public key. */
public abstract class KeyPair implements Signer {
public interface Factory {
KeyPair generate(Algorithm algorithm, byte[] bytes) throws Error.FormatError;

KeyPair generate(Algorithm algorithm, SecureRandom rng) throws Error.FormatError;
}

private static final Factory factory;

static {
var factories = ServiceLoader.load(KeyPair.Factory.class).stream().collect(Collectors.toList());
if (factories.size() != 1) {
throw new IllegalStateException(
"A single KeyPair implementation expected; found " + factories.size());
}
factory = factories.get(0).get();
}

public static KeyPair generate(Algorithm algorithm) throws Error.FormatError {
return generate(algorithm, new SecureRandom());
}

public static KeyPair generate(Algorithm algorithm, String hex) throws Error.FormatError {
return generate(algorithm, Utils.hexStringToByteArray(hex));
}

public static KeyPair generate(Algorithm algorithm, byte[] bytes) throws Error.FormatError {
return factory.generate(algorithm, bytes);
}

public static KeyPair generate(Algorithm algorithm, SecureRandom rng) throws Error.FormatError {
return factory.generate(algorithm, rng);
}

public abstract byte[] toBytes();

public abstract String toHex();

@Override
public abstract PublicKey getPublicKey();
}
56 changes: 15 additions & 41 deletions ...org/eclipse/biscuit/crypto/PublicKey.java → ...org/eclipse/biscuit/crypto/PublicKey.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,34 +12,34 @@
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.stream.Collectors;
import org.eclipse.biscuit.error.Error;
import org.eclipse.biscuit.token.builder.Utils;

public abstract class PublicKey {
public interface Factory {
PublicKey load(byte[] bytes) throws Error.FormatError.InvalidKey;
PublicKey load(Algorithm algorithm, byte[] bytes) throws Error.FormatError;
}

public static final Factory DEFAULT_ED25519_FACTORY =
bytes -> Ed25519PublicKey.loadEd25519(bytes);
public static final Factory DEFAULT_SECP256R1_FACTORY =
bytes -> SECP256R1PublicKey.loadSECP256R1(bytes);
private static final Factory factory;

private static volatile Factory ed25519Factory = DEFAULT_ED25519_FACTORY;
private static volatile Factory secp256r1Factory = DEFAULT_SECP256R1_FACTORY;
static {
var factories =
ServiceLoader.load(PublicKey.Factory.class).stream().collect(Collectors.toList());
if (factories.size() != 1) {
throw new IllegalStateException(
"A single PublicKey implementation expected; found " + factories.size());
}
factory = factories.get(0).get();
}

private static final Set<Algorithm> SUPPORTED_ALGORITHMS =
Set.of(Algorithm.Ed25519, Algorithm.SECP256R1);

public static PublicKey load(Algorithm algorithm, byte[] data) throws Error.FormatError {
if (algorithm == Algorithm.Ed25519) {
return ed25519Factory.load(data);
} else if (algorithm == Algorithm.SECP256R1) {
return secp256r1Factory.load(data);
} else {
throw new IllegalArgumentException("Unsupported algorithm");
}
return factory.load(algorithm, data);
}

public static PublicKey load(Algorithm algorithm, String hex) throws Error.FormatError {
Expand All @@ -66,34 +66,8 @@ public static PublicKey deserialize(Schema.PublicKey pk) throws Error.FormatErro
return PublicKey.load(pk.getAlgorithm(), pk.getKey().toByteArray());
}

public static Optional<Error> validateSignatureLength(Algorithm algorithm, int length) {
Optional<Error> error = Optional.empty();
if (algorithm == Algorithm.Ed25519) {
if (length != Ed25519KeyPair.SIGNATURE_LENGTH) {
error = Optional.of(new Error.FormatError.Signature.InvalidSignatureSize(length));
}
} else if (algorithm == Algorithm.SECP256R1) {
if (length < SECP256R1KeyPair.MINIMUM_SIGNATURE_LENGTH
|| length > SECP256R1KeyPair.MAXIMUM_SIGNATURE_LENGTH) {
error = Optional.of(new Error.FormatError.Signature.InvalidSignatureSize(length));
}
} else {
error =
Optional.of(new Error.FormatError.Signature.InvalidSignature("unsupported algorithm"));
}
return error;
}

public static void setEd25519Factory(Factory factory) {
ed25519Factory = factory;
}

public static void setSECP256R1Factory(Factory factory) {
secp256r1Factory = factory;
}

public abstract Algorithm getAlgorithm();

public abstract boolean verify(byte[] data, byte[] signature)
public abstract Optional<Error> verify(byte[] data, byte[] signature)
throws InvalidKeyException, SignatureException, NoSuchAlgorithmException;
}
0 ...va/org/eclipse/biscuit/crypto/Signer.java → ...va/org/eclipse/biscuit/crypto/Signer.java
View file
Open in desktop
File renamed without changes.
11 changes: 5 additions & 6 deletions ...ava/org/eclipse/biscuit/crypto/Token.java → ...ava/org/eclipse/biscuit/crypto/Token.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,13 +72,12 @@ public Result<Void, Error> verify(PublicKey root)

byte[] payload =
BlockSignatureBuffer.generateBlockSignaturePayloadV0(block, nextKey, Optional.empty());
if (currentKey.verify(payload, signature)) {
currentKey = nextKey;
} else {
return Result.err(
new Error.FormatError.Signature.InvalidSignature(
"signature error: Verification equation was not satisfied"));
var verificationResult = currentKey.verify(payload, signature);
if (verificationResult.isPresent()) {
return Result.err(verificationResult.get());
}

currentKey = nextKey;
}

if (this.next.getPublicKey().equals(currentKey)) {
Expand Down
0 ...clipse/biscuit/crypto/TokenSignature.java → ...clipse/biscuit/crypto/TokenSignature.java
View file
Open in desktop
File renamed without changes.
0 .../eclipse/biscuit/crypto/package-info.java → .../eclipse/biscuit/crypto/package-info.java
View file
Open in desktop
File renamed without changes.
0 ...va/org/eclipse/biscuit/datalog/Check.java → ...va/org/eclipse/biscuit/datalog/Check.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/datalog/Combinator.java → ...g/eclipse/biscuit/datalog/Combinator.java
View file
Open in desktop
File renamed without changes.
0 ...ava/org/eclipse/biscuit/datalog/Fact.java → ...ava/org/eclipse/biscuit/datalog/Fact.java
View file
Open in desktop
File renamed without changes.
0 .../org/eclipse/biscuit/datalog/FactSet.java → .../org/eclipse/biscuit/datalog/FactSet.java
View file
Open in desktop
File renamed without changes.
0 ...a/org/eclipse/biscuit/datalog/MapKey.java → ...a/org/eclipse/biscuit/datalog/MapKey.java
View file
Open in desktop
File renamed without changes.
0 ...pse/biscuit/datalog/MatchedVariables.java → ...pse/biscuit/datalog/MatchedVariables.java
View file
Open in desktop
File renamed without changes.
0 ...a/org/eclipse/biscuit/datalog/Origin.java → ...a/org/eclipse/biscuit/datalog/Origin.java
View file
Open in desktop
File renamed without changes.
0 ...ava/org/eclipse/biscuit/datalog/Pair.java → ...ava/org/eclipse/biscuit/datalog/Pair.java
View file
Open in desktop
File renamed without changes.
0 ...rg/eclipse/biscuit/datalog/Predicate.java → ...rg/eclipse/biscuit/datalog/Predicate.java
View file
Open in desktop
File renamed without changes.
0 ...ava/org/eclipse/biscuit/datalog/Rule.java → ...ava/org/eclipse/biscuit/datalog/Rule.java
View file
Open in desktop
File renamed without changes.
0 .../org/eclipse/biscuit/datalog/RuleSet.java → .../org/eclipse/biscuit/datalog/RuleSet.java
View file
Open in desktop
File renamed without changes.
0 ...rg/eclipse/biscuit/datalog/RunLimits.java → ...rg/eclipse/biscuit/datalog/RunLimits.java
View file
Open in desktop
File renamed without changes.
0 ...clipse/biscuit/datalog/SchemaVersion.java → ...clipse/biscuit/datalog/SchemaVersion.java
View file
Open in desktop
File renamed without changes.
0 ...va/org/eclipse/biscuit/datalog/Scope.java → ...va/org/eclipse/biscuit/datalog/Scope.java
View file
Open in desktop
File renamed without changes.
0 .../eclipse/biscuit/datalog/SymbolTable.java → .../eclipse/biscuit/datalog/SymbolTable.java
View file
Open in desktop
File renamed without changes.
0 ...biscuit/datalog/TemporarySymbolTable.java → ...biscuit/datalog/TemporarySymbolTable.java
View file
Open in desktop
File renamed without changes.
0 ...ava/org/eclipse/biscuit/datalog/Term.java → ...ava/org/eclipse/biscuit/datalog/Term.java
View file
Open in desktop
File renamed without changes.
0 ...lipse/biscuit/datalog/TrustedOrigins.java → ...lipse/biscuit/datalog/TrustedOrigins.java
View file
Open in desktop
File renamed without changes.
0 ...va/org/eclipse/biscuit/datalog/World.java → ...va/org/eclipse/biscuit/datalog/World.java
View file
Open in desktop
File renamed without changes.
0 ...scuit/datalog/expressions/Expression.java → ...scuit/datalog/expressions/Expression.java
View file
Open in desktop
File renamed without changes.
7 changes: 2 additions & 5 deletions ...lipse/biscuit/datalog/expressions/Op.java → ...lipse/biscuit/datalog/expressions/Op.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@
package org.eclipse.biscuit.datalog.expressions;

import biscuit.format.schema.Schema;
import com.google.re2j.Matcher;
import com.google.re2j.Pattern;
import java.io.UnsupportedEncodingException;
import java.util.ArrayDeque;
import java.util.ArrayList;
Expand All @@ -24,6 +22,7 @@
import org.eclipse.biscuit.datalog.Term;
import org.eclipse.biscuit.error.Error;
import org.eclipse.biscuit.error.Result;
import org.eclipse.biscuit.regex.PatternMatcher;
import org.eclipse.biscuit.token.builder.Expression;

public abstract class Op {
Expand Down Expand Up @@ -455,9 +454,7 @@ public void evaluate(
"cannot find string in symbols for index " + ((Term.Str) right).value());
}

Pattern p = Pattern.compile(rightS.get());
Matcher m = p.matcher(leftS.get());
stack.push(new Term.Bool(m.find()));
stack.push(new Term.Bool(PatternMatcher.create(rightS.get()).match(leftS.get())));
}
break;
case Add:
Expand Down
0 ...eclipse/biscuit/datalog/package-info.java → ...eclipse/biscuit/datalog/package-info.java
View file
Open in desktop
File renamed without changes.
42 changes: 42 additions & 0 deletions ...java/org/eclipse/biscuit/error/Error.java → ...java/org/eclipse/biscuit/error/Error.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.eclipse.biscuit.datalog.expressions.Expression;

public abstract class Error extends Exception {
Expand Down Expand Up @@ -265,6 +267,46 @@ public JsonNode toJson() {
}
}

public static final class BlockSignatureDeserializationError extends FormatError {
private final String err;

public BlockSignatureDeserializationError(byte[] signature) {
this.err =
"block signature deserialization error: "
+ IntStream.range(0, signature.length)
.mapToObj(i -> String.valueOf(signature[i] & 0xff))
.collect(Collectors.joining(", ", "[", "]"));
}

@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
BlockSignatureDeserializationError other = (BlockSignatureDeserializationError) o;
return err.equals(other.err);
}

@Override
public int hashCode() {
return Objects.hash(err);
}

@Override
public String toString() {
return "Err(FormatError.BlockSignatureDeserializationError{ error: " + err + " }";
}

@Override
public JsonNode toJson() {
return FormatError.jsonWrapper(
objectMapper.createObjectNode().put("BlockSignatureDeserializationError", this.err));
}
}

public static final class BlockSerializationError extends FormatError {
private final String err;

Expand Down
0 ...rg/eclipse/biscuit/error/FailedCheck.java → ...rg/eclipse/biscuit/error/FailedCheck.java
View file
Open in desktop
File renamed without changes.
0 ...org/eclipse/biscuit/error/LogicError.java → ...org/eclipse/biscuit/error/LogicError.java
View file
Open in desktop
File renamed without changes.
0 ...ava/org/eclipse/biscuit/error/Result.java → ...ava/org/eclipse/biscuit/error/Result.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/error/package-info.java → ...g/eclipse/biscuit/error/package-info.java
View file
Open in desktop
File renamed without changes.
28 changes: 28 additions & 0 deletions biscuit-core/src/main/java/org/eclipse/biscuit/regex/PatternMatcher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
package org.eclipse.biscuit.regex;

import java.util.ServiceLoader;
import java.util.stream.Collectors;

public abstract class PatternMatcher {
public interface Factory {
PatternMatcher create(String regex);
}

private static final Factory factory;

static {
var factories =
ServiceLoader.load(PatternMatcher.Factory.class).stream().collect(Collectors.toList());
if (factories.size() != 1) {
throw new IllegalStateException(
"A single PatternMatcher implementation expected; found " + factories.size());
}
factory = factories.get(0).get();
}

public static PatternMatcher create(String regex) {
return factory.create(regex);
}

public abstract boolean match(CharSequence input);
}
0 ...org/eclipse/biscuit/token/Authorizer.java → ...org/eclipse/biscuit/token/Authorizer.java
View file
Open in desktop
File renamed without changes.
0 ...va/org/eclipse/biscuit/token/Biscuit.java → ...va/org/eclipse/biscuit/token/Biscuit.java
View file
Open in desktop
File renamed without changes.
0 ...java/org/eclipse/biscuit/token/Block.java → ...java/org/eclipse/biscuit/token/Block.java
View file
Open in desktop
File renamed without changes.
0 ...ava/org/eclipse/biscuit/token/Policy.java → ...ava/org/eclipse/biscuit/token/Policy.java
View file
Open in desktop
File renamed without changes.
0 ...e/biscuit/token/RevocationIdentifier.java → ...e/biscuit/token/RevocationIdentifier.java
View file
Open in desktop
File renamed without changes.
0 ...iscuit/token/ThirdPartyBlockContents.java → ...iscuit/token/ThirdPartyBlockContents.java
View file
Open in desktop
File renamed without changes.
0 ...biscuit/token/ThirdPartyBlockRequest.java → ...biscuit/token/ThirdPartyBlockRequest.java
View file
Open in desktop
File renamed without changes.
6 changes: 3 additions & 3 deletions ...ipse/biscuit/token/UnverifiedBiscuit.java → ...ipse/biscuit/token/UnverifiedBiscuit.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -291,9 +291,9 @@ public UnverifiedBiscuit appendThirdPartyBlock(
blockResponse.getPayload(),
previousBlock.getSignature(),
BlockSignatureBuffer.THIRD_PARTY_SIGNATURE_VERSION);
if (!externalKey.verify(payload, blockResponse.getSignature())) {
throw new Error.FormatError.Signature.InvalidSignature(
"signature error: Verification equation was not satisfied");
var verificationResult = externalKey.verify(payload, blockResponse.getSignature());
if (verificationResult.isPresent()) {
throw verificationResult.get();
}

var res = Block.fromBytes(blockResponse.getPayload(), Optional.of(externalKey));
Expand Down
0 ...clipse/biscuit/token/builder/Biscuit.java → ...clipse/biscuit/token/builder/Biscuit.java
View file
Open in desktop
File renamed without changes.
0 .../eclipse/biscuit/token/builder/Block.java → .../eclipse/biscuit/token/builder/Block.java
View file
Open in desktop
File renamed without changes.
0 .../eclipse/biscuit/token/builder/Check.java → .../eclipse/biscuit/token/builder/Check.java
View file
Open in desktop
File renamed without changes.
0 ...pse/biscuit/token/builder/Expression.java → ...pse/biscuit/token/builder/Expression.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/token/builder/Fact.java → ...g/eclipse/biscuit/token/builder/Fact.java
View file
Open in desktop
File renamed without changes.
0 ...eclipse/biscuit/token/builder/MapKey.java → ...eclipse/biscuit/token/builder/MapKey.java
View file
Open in desktop
File renamed without changes.
0 ...ipse/biscuit/token/builder/Predicate.java → ...ipse/biscuit/token/builder/Predicate.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/token/builder/Rule.java → ...g/eclipse/biscuit/token/builder/Rule.java
View file
Open in desktop
File renamed without changes.
0 .../eclipse/biscuit/token/builder/Scope.java → .../eclipse/biscuit/token/builder/Scope.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/token/builder/Term.java → ...g/eclipse/biscuit/token/builder/Term.java
View file
Open in desktop
File renamed without changes.
0 .../eclipse/biscuit/token/builder/Utils.java → .../eclipse/biscuit/token/builder/Utils.java
View file
Open in desktop
File renamed without changes.
0 ...e/biscuit/token/builder/package-info.java → ...e/biscuit/token/builder/package-info.java
View file
Open in desktop
File renamed without changes.
0 ...e/biscuit/token/builder/parser/Error.java → ...e/biscuit/token/builder/parser/Error.java
View file
Open in desktop
File renamed without changes.
0 ...oken/builder/parser/ExpressionParser.java → ...oken/builder/parser/ExpressionParser.java
View file
Open in desktop
File renamed without changes.
0 .../biscuit/token/builder/parser/Parser.java → .../biscuit/token/builder/parser/Parser.java
View file
Open in desktop
File renamed without changes.
0 ...scuit/token/format/ExternalSignature.java → ...scuit/token/format/ExternalSignature.java
View file
Open in desktop
File renamed without changes.
0 ...g/eclipse/biscuit/token/format/Proof.java → ...g/eclipse/biscuit/token/format/Proof.java
View file
Open in desktop
File renamed without changes.
Loading